constructor(scope: Construct, id: string, props: AutoScalingGroupProps) {
super(scope, id);
this.securityGroup = new ec2.SecurityGroup(this, 'InstanceSecurityGroup', {
vpc: props.vpc,
allowAllOutbound: props.allowAllOutbound !== false
});
this.connections = new ec2.Connections({ securityGroups: [this.securityGroup] });
this.securityGroups.push(this.securityGroup);
this.node.applyAspect(new Tag(NAME_TAG, this.node.path));
this.role = props.role || new iam.Role(this, 'InstanceRole', {
roleName: PhysicalName.GENERATE_IF_NEEDED,
assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com')
});
this.grantPrincipal = this.role;
const iamProfile = new iam.CfnInstanceProfile(this, 'InstanceProfile', {
roles: [ this.role.roleName ]
});
// use delayed evaluation
const imageConfig = props.machineImage.getImage(this);
this.userData = props.userData || imageConfig.userData || ec2.UserData.forOperatingSystem(imageConfig.osType);
const userDataToken = Lazy.stringValue({ produce: () => Fn.base64(this.userData.render()) });
// Tag every concrete VPC subnet in `subnets` with `<tag>=1`.
// A subnet that is not a concrete `ec2.Subnet` (e.g. one that was imported) cannot
// be tagged from this stack, so a construct warning is attached instead and the
// operator is expected to apply the tag by hand.
//   type    - human-readable subnet kind used only in the warning text ("public"/"private")
//   subnets - subnets to tag
//   tag     - tag key to set to "1"
const tagAllSubnets = (type: string, subnets: ec2.ISubnet[], tag: string) => {
  for (const subnet of subnets) {
    if (ec2.Subnet.isVpcSubnet(subnet)) {
      subnet.node.applyAspect(new Tag(tag, "1"));
      continue;
    }
    // message (if token):     "Could not auto-tag public/private subnet with tag..."
    // message (if not token): "Could not auto-tag public/private subnet xxxxx with tag..."
    // An unresolved subnet id is a deploy-time token, so it is omitted from the message.
    const idSuffix = Token.isUnresolved(subnet.subnetId) ? '' : ` ${subnet.subnetId}`;
    this.node.addWarning(`Could not auto-tag ${type} subnet${idSuffix} with "${tag}=1", please remember to do this manually`);
  }
};
/**
 * Tags each of the VPC's private subnets with `kubernetes.io/role/internal-elb=1`.
 *
 * Only concrete `Subnet` constructs can be tagged from this stack. On the first
 * subnet that is not one, a single construct warning is emitted and tagging
 * stops (any subnet tagged before that point keeps its tag).
 */
private tagSubnets() {
  for (const candidate of this.vpc.privateSubnets) {
    if (Subnet.isVpcSubnet(candidate)) {
      candidate.node.applyAspect(new Tag("kubernetes.io/role/internal-elb", "1"));
      continue;
    }
    // Just give up, all of them will be the same.
    this.node.addWarning('Could not auto-tag private subnets with "kubernetes.io/role/internal-elb=1", please remember to do this manually');
    return;
  }
}
}
this.privateSubnets.push(privateSubnet);
subnet = privateSubnet;
break;
case SubnetType.ISOLATED:
const isolatedSubnet = new PrivateSubnet(this, name, subnetProps);
this.isolatedSubnets.push(isolatedSubnet);
subnet = isolatedSubnet;
break;
default:
throw new Error(`Unrecognized subnet type: ${subnetConfig.subnetType}`);
}
// These values will be used to recover the config upon provider import
const includeResourceTypes = [CfnSubnet.CFN_RESOURCE_TYPE_NAME];
subnet.node.applyAspect(new Tag(SUBNETNAME_TAG, subnetConfig.name, {includeResourceTypes}));
subnet.node.applyAspect(new Tag(SUBNETTYPE_TAG, subnetTypeTagValue(subnetConfig.subnetType), {includeResourceTypes}));
});
}
const privateSubnet = new PrivateSubnet(this, name, subnetProps);
this.privateSubnets.push(privateSubnet);
subnet = privateSubnet;
break;
case SubnetType.ISOLATED:
const isolatedSubnet = new PrivateSubnet(this, name, subnetProps);
this.isolatedSubnets.push(isolatedSubnet);
subnet = isolatedSubnet;
break;
default:
throw new Error(`Unrecognized subnet type: ${subnetConfig.subnetType}`);
}
// These values will be used to recover the config upon provider import
const includeResourceTypes = [CfnSubnet.CFN_RESOURCE_TYPE_NAME];
subnet.node.applyAspect(new Tag(SUBNETNAME_TAG, subnetConfig.name, {includeResourceTypes}));
subnet.node.applyAspect(new Tag(SUBNETTYPE_TAG, subnetTypeTagValue(subnetConfig.subnetType), {includeResourceTypes}));
});
}
autoScalingGroup.connections.allowToAnyIpv4(ec2.Port.allUdp());
autoScalingGroup.connections.allowToAnyIpv4(ec2.Port.allIcmp());
autoScalingGroup.addUserData(
'set -o xtrace',
`/etc/eks/bootstrap.sh ${this.clusterName} --use-max-pods ${options.maxPods}`,
);
// FIXME: Add a cfn-signal call once we've sorted out UserData and can write reliable
// signaling scripts: https://github.com/aws/aws-cdk/issues/623
autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSWorkerNodePolicy'));
autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKS_CNI_Policy'));
autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'));
// EKS Required Tags
autoScalingGroup.node.applyAspect(new Tag(`kubernetes.io/cluster/${this.clusterName}`, 'owned', { applyToLaunchedInstances: true }));
// Create an CfnOutput for the Instance Role ARN (need to paste it into aws-auth-cm.yaml)
new CfnOutput(autoScalingGroup, 'InstanceRoleARN', {
value: autoScalingGroup.role.roleArn
});
if (options.mapRole === true && !this.kubectlEnabled) {
throw new Error(`Cannot map instance IAM role to RBAC if kubectl is disabled for the cluster`);
}
// do not attempt to map the role if `kubectl` is not enabled for this
// cluster or if `mapRole` is set to false. By default this should happen.
const mapRole = options.mapRole === undefined ? true : options.mapRole;
if (mapRole && this.kubectlEnabled) {
// see https://docs.aws.amazon.com/en_us/eks/latest/userguide/add-user-role.html
this.awsAuth.addRoleMapping(autoScalingGroup.role, {